Hi There,
I've been wracking my brains trying to get Windows 7 authenticating against a
MIT Kerberos 5 Realm (which is running on an Arch Linux server).
I've done the following on the server (aka dc1):
Installed and configured a NTP time server
Installed and configured DHCP and DNS (setup for the domain tnet.loc)
Installed Kerberos from source
Setup the database
Configured the keytab
Setup the ACL file with: *@TNET.LOC *
Added a policy for my user and my machine:
addpol users
addpol admin
addpol hosts
ank -policy users
[email protected]
ank -policy admin tom/
[email protected]
ank -policy hosts host/wdesk3.tnet.loc -pw MYPASSWORDHERE
I then did the following to the windows 7 client (aka wdesk3):
Made sure the ip address was supplied by my DHCP server and dc1.tnet.loc pings ok
Set the internet time server to my linux server (aka dc1.tnet.loc)
Used ksetup to configure the realm:
ksetup /SetRealm TNET.LOC
ksetup /AddKdc dc1.tnet.loc
ksetip /SetComputerPassword MYPASSWORDHERE
ksetip /MapUser * *
After some googl-ing I found that DES encryption was disabled by Windows 7 by default and I turned the policy on to support DES encryption over Kerberos
Then I rebooted the windows client
However after doing all that I still cannot login from my Windows client. :(
Looking at the logs on the server; the request looks fine and everything works great, I think the issue is that the response from the KDC is not recognized by the Windows Client and a generic login error appears: "Login Failure: User name or password is invalid".
The log file for the server looks like this (I tail'ed this so I know it's happening when the Windows machine attempts the login):
If I supply an invalid realm in the login window I get a completely different error message, so I don't think it's a connection problem from the client to the server? But I can't find any error logs on the Windows machine? (anyone know where these are?)
If I try: runas /netonly /user:
[email protected] cmd.exe everything works (although I don't get anything appear in the server logs, so I'm wondering if it's not touching the server for this??), but if I run: runas /user:
[email protected] cmd.exe I get the same authentication error.
Any Kerberos Gurus out there who can give me some ideas as to what to try next? pretty please?
